Closed
Summary
While using the AudioPlaybackConnection::StateChanged callback, a runtime crash with exit code 0xc0000005 (STATUS_ACCESS_VIOLATION) was observed in the callback routine. Debugging indicates that dropping the HSTRING returned by AudioPlaybackConnection::DeviceId directly frees the DeviceId member variable of the AudioPlaybackConnection instance, so the same string is released a second time later (a double free). The issue is reliably reproducible with a single normal invocation of the DeviceId method. While debugging the attached reproduction code, an access violation was raised during the deallocation of the connection object. Below is the output captured from WinDbg:
Microsoft (R) Windows Debugger Version 10.0.22621.755 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: target\\debug\\main.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`0d4b0000 00007ff6`0d4f6000 main.exe
ModLoad: 00007fff`63e50000 00007fff`64048000 ntdll.dll
ModLoad: 00007fff`0e9d0000 00007fff`0ea44000 C:\Windows\System32\verifier.dll
Page heap: pid 0x69A0: page heap enabled with flags 0x3.
ModLoad: 00007fff`627b0000 00007fff`62872000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007fff`614e0000 00007fff`617d6000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007fff`63ab0000 00007fff`63e04000 C:\Windows\System32\combase.dll
ModLoad: 00007fff`61b30000 00007fff`61c30000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007fff`62d20000 00007fff`62e40000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007fff`62900000 00007fff`629cd000 C:\Windows\System32\oleaut32.dll
ModLoad: 00007fff`618a0000 00007fff`6193d000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007fff`49c80000 00007fff`49c9e000 C:\Windows\SYSTEM32\VCRUNTIME140.dll
ModLoad: 00007fff`5fcc0000 00007fff`5fcd2000 C:\Windows\SYSTEM32\kernel.appcore.dll
ModLoad: 00007fff`62710000 00007fff`627ae000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007fff`617e0000 00007fff`61862000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007fff`637b0000 00007fff`63859000 C:\Windows\System32\clbcatq.dll
ModLoad: 00007fff`538a0000 00007fff`53933000 C:\Windows\System32\Windows.Media.Devices.dll
ModLoad: 00007fff`62200000 00007fff`6229f000 C:\Windows\System32\sechost.dll
ModLoad: 00007fff`61e40000 00007fff`61e67000 C:\Windows\System32\bcrypt.dll
ModLoad: 00007fff`61940000 00007fff`6198e000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007fff`63a00000 00007fff`63aad000 C:\Windows\System32\shcore.dll
ModLoad: 00007fff`5ade0000 00007fff`5ae65000 C:\Windows\System32\MMDevAPI.DLL
ModLoad: 00007fff`61230000 00007fff`61263000 C:\Windows\System32\DEVOBJ.dll
ModLoad: 00007fff`3f820000 00007fff`3f8a7000 C:\Windows\System32\Windows.Devices.Enumeration.dll
ModLoad: 00007fff`5d200000 00007fff`5d2f4000 C:\Windows\System32\PROPSYS.dll
ModLoad: 00007fff`3f730000 00007fff`3f7d6000 C:\Windows\System32\StructuredQuery.dll
ModLoad: 00007fff`62e60000 00007fff`63001000 C:\Windows\System32\user32.dll
ModLoad: 00007fff`61870000 00007fff`61892000 C:\Windows\System32\win32u.dll
ModLoad: 00007fff`62b00000 00007fff`62b2b000 C:\Windows\System32\GDI32.dll
ModLoad: 00007fff`61990000 00007fff`61aa9000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007fff`63780000 00007fff`637af000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007fff`613d0000 00007fff`613f4000 C:\Windows\System32\profapi.dll
ModLoad: 00007fff`3ea40000 00007fff`3eaf7000 C:\Windows\System32\MSWB70804.dll
ModLoad: 00007fff`3e520000 00007fff`3e86f000 C:\Windows\system32\NL7Data0804.dll
ModLoad: 00007fff`3bdb0000 00007fff`3bdd0000 C:\Windows\System32\DevDispItemProvider.dll
ModLoad: 00007fff`58e00000 00007fff`58e0e000 C:\Windows\System32\DDORes.dll
ModLoad: 00007fff`52b80000 00007fff`52b88000 C:\Windows\System32\DefaultDeviceManager.dll
ModLoad: 00007fff`63990000 00007fff`639eb000 C:\Windows\System32\SHLWAPI.dll
ModLoad: 00007fff`5cdf0000 00007fff`5cf47000 C:\Windows\System32\WinTypes.dll
ModLoad: 00007fff`39b40000 00007fff`39bbf000 C:\Windows\System32\OneCoreCommonProxyStub.dll
(69a0.653c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
combase!operator& [inlined in combase!WindowsDeleteString+0xe]:
00007fff`63b012ce f60101 test byte ptr [rcx],1 ds:0000024d`76928eb0=??
0:000> k
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- combase!operator& [onecore\com\combase\winrt\string\HstringHeaderInternal.h @ 40]
01 (Inline Function) --------`-------- combase!CHSTRINGUtil::IsStringReference [onecore\com\combase\winrt\string\StringUtil.inl @ 135]
02 (Inline Function) --------`-------- combase!CHSTRINGUtil::Release [onecore\com\combase\winrt\string\StringUtil.inl @ 35]
03 000000a6`9651f500 00007fff`3f83f9d9 combase!WindowsDeleteString+0xe [onecore\com\combase\winrt\string\string.cpp @ 150]
04 (Inline Function) --------`-------- Windows_Devices_Enumeration!Windows::Internal::String::{dtor}+0x10 [onecore\internal\com\inc\windowsstringp.h @ 139]
05 (Inline Function) --------`-------- Windows_Devices_Enumeration!BaseObject::{dtor}+0x39 [onecoreuap\base\devices\rtenum\dllsrv\BaseObject.h @ 102]
06 000000a6`9651f530 00007fff`3f840274 Windows_Devices_Enumeration!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<3>,1,1,0,Windows::Devices::Enumeration::IDeviceInformation,Windows::Devices::Enumeration::IDeviceInformation2,Windows::Devices::Enumeration::Internal::IDeviceInformation3,BaseObject>::~RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<3>,1,1,0,Windows::Devices::Enumeration::IDeviceInformation,Windows::Devices::Enumeration::IDeviceInformation2,Windows::Devices::Enumeration::Internal::IDeviceInformation3,BaseObject>+0x59 [onecore\external\sdk\inc\wrl\implements.h @ 2290]
07 000000a6`9651f560 00007fff`3f845ddf Windows_Devices_Enumeration!DeviceInformationServer::`scalar deleting destructor'+0x14
*** WARNING: Unable to verify checksum for main.exe
08 000000a6`9651f590 00007ff6`0d4be956 Windows_Devices_Enumeration!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<3>,1,1,0,Windows::Devices::Enumeration::IDeviceInformation,Windows::Devices::Enumeration::IDeviceInformation2,Windows::Devices::Enumeration::Internal::IDeviceInformation3,BaseObject>::Release+0x5f [onecore\external\sdk\inc\wrl\implements.h @ 2046]
09 000000a6`9651f5c0 00007ff6`0d4bdfee main!windows_core::unknown::impl$2::drop+0xe6 [C:\Users\aws\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\windows-core-0.62.2\src\unknown.rs @ 46]
0a 000000a6`9651f630 00007ff6`0d4b271e main!core::ptr::drop_in_place<windows_core::unknown::IUnknown>+0xe [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\core\src\ptr\mod.rs @ 805]
0b 000000a6`9651f660 00007ff6`0d4b3d02 main!core::ptr::drop_in_place<windows::Devices::Enumeration::DeviceInformation>+0xe [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\core\src\ptr\mod.rs @ 805]
0c 000000a6`9651f690 00007ff6`0d4b29db main!main::main+0x692 [C:\MYFILE\project\Rust\playground\windows-rs-bug\src\bin\main.rs @ 28]
0d 000000a6`9651f950 00007ff6`0d4b2e0e main!core::ops::function::FnOnce::call_once<void (*)(),tuple$<> >+0xb [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\core\src\ops\function.rs @ 250]
0e (Inline Function) --------`-------- main!core::hint::black_box [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\core\src\hint.rs @ 482]
0f 000000a6`9651f990 00007ff6`0d4b2df1 main!std::sys::backtrace::__rust_begin_short_backtrace<void (*)(),tuple$<> >+0xe [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\std\src\sys\backtrace.rs @ 169]
10 000000a6`9651f9d0 00007ff6`0d4ca5df main!std::rt::lang_start::closure$0<tuple$<> >+0x11 [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\std\src\rt.rs @ 206]
11 (Inline Function) --------`-------- main!std::rt::lang_start_internal::closure$0+0x95 [/rustc/fcf67da039f42e3905cf6f69e33304299c45149f/library\std\src\rt.rs @ 175]
12 (Inline Function) --------`-------- main!std::panicking::catch_unwind::do_call+0x95 [/rustc/fcf67da039f42e3905cf6f69e33304299c45149f/library\std\src\panicking.rs @ 581]
13 (Inline Function) --------`-------- main!std::panicking::catch_unwind+0x95 [/rustc/fcf67da039f42e3905cf6f69e33304299c45149f/library\std\src\panicking.rs @ 544]
14 (Inline Function) --------`-------- main!std::panic::catch_unwind+0x95 [/rustc/fcf67da039f42e3905cf6f69e33304299c45149f/library\std\src\panic.rs @ 359]
15 000000a6`9651fa10 00007ff6`0d4b2dda main!std::rt::lang_start_internal+0xaf [/rustc/fcf67da039f42e3905cf6f69e33304299c45149f/library\std\src\rt.rs @ 171]
16 000000a6`9651faa0 00007ff6`0d4b4069 main!std::rt::lang_start<tuple$<> >+0x3a [C:\Users\aws\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib\rustlib\src\rust\library\std\src\rt.rs @ 211]
17 000000a6`9651fb00 00007ff6`0d4dbd60 main!main+0x19
18 (Inline Function) --------`-------- main!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
19 000000a6`9651fb30 00007fff`627c7374 main!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
1a 000000a6`9651fb70 00007fff`63e9cc91 KERNEL32!BaseThreadInitThunk+0x14
1b 000000a6`9651fba0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Crate manifest
[package]
name = "windows-rs-bug"
version = "0.1.0"
edition = "2024"
[dependencies]
windows = { version = "0.62.2", features = ["Devices_Enumeration", "Media_Audio"] }
Crate code
use windows::{Devices::Enumeration::DeviceInformation, Media::Audio::*};
/// Minimal reproducer for the access violation described in this report.
///
/// Enumerates every device matching the `AudioPlaybackConnection` selector,
/// creates a connection for each one, reads `DeviceId()` once and drops the
/// result, then starts and opens the connection. Every fallible call is
/// `unwrap()`ed, so any error panics instead of being handled.
fn main() {
    let selector = AudioPlaybackConnection::GetDeviceSelector().unwrap();
    // Wait for the async enumeration to finish and collect the results.
    let all_device = DeviceInformation::FindAllAsyncAqsFilter(&selector)
        .unwrap()
        .join()
        .unwrap()
        .into_iter()
        .collect::<Vec<_>>();
    for device in all_device {
        let device_id = device.Id().unwrap();
        println!("Creating connection for device: {}", device_id);
        let connection = AudioPlaybackConnection::TryCreateFromId(&device_id).unwrap();
        {
            // This might lead to a double free error.
            // The inner scope drops the returned HSTRING immediately, before
            // the connection is started. This single read is the step the
            // report identifies as the trigger.
            let _device_id = connection.DeviceId().unwrap();
        }
        connection.Start().unwrap();
        if let AudioPlaybackConnectionOpenResultStatus::Success =
            connection.Open().unwrap().Status().unwrap()
        {
            println!("Connection opened successfully.");
        }
        // At the end of each iteration the locals are dropped in reverse
        // declaration order: `connection`, then `device_id`, then the loop
        // binding `device`.
        // NOTE(review): in the WinDbg stack captured in the report, the faulting
        // combase!WindowsDeleteString call sits under
        // drop_in_place<DeviceInformation>, i.e. the release of `device`, not of
        // `connection`. That suggests the string released twice may belong to
        // the DeviceInformation object — confirm before attributing ownership.
    } // Drop connections here. Access violation happens inside drop.
}